破解LeapFTP 2.7:
本來今天是要CRACK'百裡挑一'的,可是我追了好久,沒發現什麼頭緒.又剛好我的網頁的上傳要用到FTP,於是就裝了LeapFTP 2.7(但最終用不了:-(我這是要經過學校的代理伺服器的,我沒設定好,也許設定好了也不能用,學校的'好網'),於是在沒能破'百裡挑一'的情況下就拿它來開刀了.
還是這樣在註冊對話方塊裡填上:
NAME:Vitamin C
NUM.:1234ABCD
在SoftICE裡用BPX HMEMCPY設斷,中斷後按十幾次F12(逐層返回到呼叫者)後來到程式核心(用BORLAND DELPHI寫的程式都這樣的):
...
:00487183 8B83E4020000 mov eax, dword
ptr [ebx+000002E4]
:00487189 E83AC8FAFF call 004339C8/*這個CALL取得NUM.*/
:0048718E 8B45F8
mov eax, dword ptr [ebp-08]
:00487191 8D55FC
lea edx, dword ptr [ebp-04]
:00487194 E81719F8FF call 00408AB0
:00487199 80BBF402000000 cmp byte ptr [ebx+000002F4],
00
:004871A0 740E
je 004871B0
:004871A2 8B55FC
mov edx, dword ptr [ebp-04]
:004871A5 8BC3
mov eax, ebx
:004871A7 E888030000 call 00487534
:004871AC 84C0
test al, al
:004871AE 7526
jne 004871D6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004871A0(C)
|
:004871B0 8B83F0020000 mov eax, dword
ptr [ebx+000002F0]
:004871B6 50
push eax
:004871B7 8D55F4
lea edx, dword ptr [ebp-0C]
:004871BA 8B83D0020000 mov eax, dword
ptr [ebx+000002D0]
:004871C0 E803C8FAFF call 004339C8/*取得NAME*/
:004871C5 8B55F4
mov edx, dword ptr [ebp-0C]/*傳入了NAME->EDX*/
:004871C8 8B4DFC
mov ecx, dword ptr [ebp-04]/*傳入了NUM.->ECX*/
:004871CB 8BC3
mov eax, ebx
:004871CD E8BA010000 call 0048738C/*關鍵的CALL:EAX=物件(EBX),EDX=NAME,ECX=NUM.;傳回AL=1表示註冊碼有效(見下面:004874B1的MOV BL,01)*/
:004871D2 84C0
test al, al/*AL要不等於0*/
:004871D4 7462
je 00487238/*要不完了!*/
...
在這段程式碼從:004871C5--:004871D4這幾行,一看便會想到這是典型的NUM.處理格式!當然在關鍵的CALL(:004871CD)前並沒有傳入正確的NUM.(正確的NUM.是在CALL裡面算出來再比較的).但要是你不理這幾行試試,你會發現很快就GAME
OVER了...只要你用R FL Z(在SoftICE裡反轉零旗標ZF)把:004871D4的跳轉方向改變,程式便會感謝你的註冊^_^ (注意這只改變這一次執行的結果;要改執行檔的話,:004871D4的機器碼是7462(JE),改成7562就是JNE,方向就反過來了.不過這只是繞過檢查,並不等於找到了正確的註冊碼.)
好了,不用多說,用F8跟進此CALL:
...
:00487443 8B55F8
mov edx, dword ptr [ebp-08]/*傳入輸入的NUM.*/
:00487446 B808754800 mov eax,
00487508/*傳入了字元'-'*/
:0048744B E8A0CDF7FF call 004041F0/*這個CALL像是Delphi的Pos('-',NUM.):傳回'-'在輸入的NUM.裡的位置(從1起算),找不到則傳回0;
:00487450 8BC8
mov ecx, eax 下一句的DEC ECX把它變成'-'以前的字元個數*/
:00487452 49
dec ecx
:00487453 BA01000000 mov edx,
00000001
:00487458 8B45F8
mov eax, dword ptr [ebp-08]
:0048745B E8ACCCF7FF call 0040410C
:00487460 8B45E0
mov eax, dword ptr [ebp-20]/*這裡傳入字元'-'前的字元
:00487463 8B5508
mov edx, dword ptr [ebp+08] 和'214065'*/
:00487466 E8A9CBF7FF call 00404014/*此CALL關鍵,那兩個字串就在這個CALL裡比較:'-'前的子字串對固定的前綴'214065'*/
:0048746B 7548
jne 004874B5/*若不等則跳*/
:0048746D 8D45DC
lea eax, dword ptr [ebp-24]
:00487470 50
push eax
:00487471 8B55F8
mov edx, dword ptr [ebp-08]
:00487474 B808754800 mov eax,
00487508
:00487479 E872CDF7FF call 004041F0
:0048747E 50
push eax
:0048747F 8B45F8
mov eax, dword ptr [ebp-08]
:00487482 E87DCAF7FF call 00403F04
:00487487 5A
pop edx
:00487488 2BC2
sub eax, edx
:0048748A 50
push eax
:0048748B 8B55F8
mov edx, dword ptr [ebp-08]
:0048748E B808754800 mov eax,
00487508
:00487493 E858CDF7FF call 004041F0
:00487498 8BD0
mov edx, eax
:0048749A 42
inc edx
:0048749B 8B45F8
mov eax, dword ptr [ebp-08]
:0048749E 59
pop ecx
:0048749F E868CCF7FF call 0040410C
:004874A4 8B45DC
mov eax, dword ptr [ebp-24]/*傳入NUM.在'-'後的字元和
:004874A7 8B55EC
mov edx, dword ptr [ebp-14] 程式算出來的正確後半段3337009290(對NAME='Vitamin C'而言;存在[ebp-14])*/
:004874AA E865CBF7FF call 00404014/*在這裡邊進行最後的比較.*/
:004874AF 7504
jne 004874B5/*不相等則跳*/
:004874B1 B301
mov bl, 01
:004874B3 EB02
jmp 004874B7
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048746B(C), :004874AF(C)
|
:004874B5 33DB
xor ebx, ebx/*笨冬瓜兄說的,這是我們CRACKER的大敵啊!*/
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004874B3(U)
|
:004874B7 33C0
xor eax, eax
:004874B9 5A
pop edx
:004874BA 59
pop ecx
:004874BB 59
pop ecx
:004874BC 648910
mov dword ptr fs:[eax], edx
:004874BF 68F6744800 push 004874F6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004874F4(U)
|
:004874C4 8D45DC
lea eax, dword ptr [ebp-24]
:004874C7 BA02000000 mov edx,
00000002
:004874CC E8D7C7F7FF call 00403CA8
:004874D1 8D45EC
lea eax, dword ptr [ebp-14]
:004874D4 E8ABC7F7FF call 00403C84
:004874D9 8D45F8
lea eax, dword ptr [ebp-08]
:004874DC BA02000000 mov edx,
00000002
:004874E1 E8C2C7F7FF call 00403CA8
:004874E6 8D4508
lea eax, dword ptr [ebp+08]
:004874E9 E896C7F7FF call 00403C84
:004874EE C3
ret/*這個RET是返回到:004874F6的,因為:004874BF先把004874F6 PUSH進堆疊當作返回位址(像是Delphi的try/finally收尾程式碼).(就在下三句)*/
:004874EF E928C2F7FF jmp 0040371C
:004874F4 EBCE
jmp 004874C4
:004874F6 8BC3
mov eax, ebx/*把EBX傳入EAX,要能使EBX=1那我們就成功了!*/
:004874F8 5B
pop ebx
:004874F9 8BE5
mov esp, ebp
:004874FB 5D
pop ebp
:004874FC C20400
ret 0004/*在這返回,跳出整個關鍵CALL,且傳出AL的值*/
...
在這一整段的程式碼前還有一大段關鍵的程式碼,是用來計算正確的NUM.的(NAME是由EDX傳進來的,正確的後半段應該就是由它算出來的),只是那裡用到了我最怕的浮點運算:-(我就放棄去分析它了...小菜菜就是菜啊!還有在這一大段程式碼裡從:0048746D->:0048749E是用了兩種方式來檢驗輸入的NUM.和正確的NUM.之間裡以'-'為界字元位數是否相同的(按那幾句的傳參看:先取'-'的位置,以像是字串長度的值減去它當作個數,以它加1當作起點,再呼叫:0040410C,更像是把'-'之後的子字串取出來存到[ebp-24],供:004874A4那裡比較).在上面的動態分析裡你會發現
我們在開始輸入的1234ABCD在:0048744B裡的那個CALL後就會計算出來的東東是個0(因為輸入裡根本沒有'-').正因為這樣我就走彎路了,好久沒能看明白這段程式碼.其實,在正確的註冊碼:214065-3337009290裡,214065是固定的,只有3337009290是計算得來的.唉!這裡並沒有明確的比較'-'這個字元,但程式確實實在在的用間接的方式檢驗了它是否存在!(沒有'-'時,'-'前取出的子字串不會等於'214065',:0048746B便跳到:004874B5,EBX清0,註冊失敗.)
...
:00404014 53
push ebx
:00404015 56
push esi
:00404016 57
push edi
:00404017 89C6
mov esi, eax
:00404019 89D7
mov edi, edx
:0040401B 39D0
cmp eax, edx
:0040401D 0F848F000000 je 004040B2
:00404023 85F6
test esi, esi
...
這段是:00487466和:004874AA那兩個CALL所呼叫的字串比較常式(:00404014)的開頭:EAX(ESI)和EDX(EDI)是要比較的兩個字串,那個CMP EAX,EDX先看兩個指標是否相同,相同就直接跳到:004040B2(應是相等的出口),後面逐個字元比較的部分沒列出來.在:004874AA那次呼叫裡,EDX指向的就是那個正確的NUM.的後半段...
好了到這,對於我也就把它完成了.(沒找出演算法...以後吧!等我成了大蝦再說,呵呵^-^)
OK!
NAME:Vitamin C
NUM.:214065-3337009290
Vitamin C[抗壞血酸].2002.3.16.ZJ.GD.CHI.